CISO Mind Map - computerminds.net · CISO Mind Map Version 1.0 and Security Operations Center (SOC)...


Posted on 10-May-2020

Page 1

sans.org/curricula/management
MGT-PSTR-CISO/SOC-0217-v2

Security Leadership

POSTER

v. 1.0

CISO Mind Map Version 1.0

AND

Security Operations Center (SOC) Essential Functions

For Cyber Leaders of Today and Tomorrow

CURRICULUM

Get the right training to build and lead a world-class security team.

FOUNDATIONAL

MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™ (GSLC)

MGT525: IT Project Management, Effective Communication, and PMP® Exam Prep (GCPM)

MGT414: SANS Training Program for CISSP® Certification (GISP)

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth (GCCC)

CORE

LEG523: Law of Data Security and Investigations (GLEG)

MGT514: IT Security Strategic Planning, Policy, and Leadership

MGT415: A Practical Introduction to Cybersecurity Risk Management

MGT517: Managing Security Operations: Detection, Response, and Intelligence

SPECIALIZATION

MGT433: Securing the Human: How to Build, Maintain, and Measure a High-Impact Awareness Program

MGT305: Technical Communication and Presentation Skills for Security Professionals

AUD507: Auditing & Monitoring Networks, Perimeters, and Systems (GSNA)

Business Enablement

• Product Security
  - Secure DevOps
  - Secure Development Lifecycle
  - Bug Bounties
  - Web, Mobile, Cloud AppSec
• Cloud Computing
  - Cloud Security Architecture
  - Cloud Guidelines
• Mobile
  - Bring Your Own Device (BYOD)
  - Mobile Policy
• Emerging Technologies
  - Internet of Things (IoT)
  - Augmented Reality (AR)
  - Virtual Reality (VR)
• Mergers and Acquisitions
  - Security Due Diligence

Risk Management

• Risk Management Frameworks
• Risk Assessment Methodology
• Business Impact Analysis
• Risk Assessment Process
• Risk Analysis and Quantification
• Security Awareness
• Vulnerability Management
• Vendor Risk Management
• Physical Security
• Disaster Recovery (DR)
• Business Continuity Planning
• Policies and Procedures
• Risk Treatment
  - Mitigation Planning, Verification
  - Remediation, Cyber Insurance

Identity and Access Management

• Provisioning/Deprovisioning
• Single Sign On (SSO)
• Federated Single Sign On (FSSO)
• Multi-Factor Authentication
• Role-Based Access Control (RBAC)
• Identity Store (LDAP, ActiveDirectory)

Security Operations

• Prevention
  - Data Protection: Encryption, PKI, TLS; Data Loss Prevention (DLP); Email Security
  - Network Security: Firewall, IDS/IPS, Proxy Filtering; VPN, Security Gateway; DDoS Protection
  - Application Security: Threat Modeling; Design Review; Secure Coding; Static Analysis; Web App Scanning; WAF, RASP
  - Endpoint Security: Antivirus, Anti-malware; HIDS/HIPS, FIM; App Whitelisting
  - Secure Configurations
  - Active Defense
  - Patching
• Detection
  - Log Management/SIEM
  - Continuous Monitoring
  - Network Security Monitoring
  - NetFlow Analysis
  - Advanced Analytics
  - Threat Hunting
  - Penetration Testing
  - Red Team
  - Vulnerability Scanning
  - Human Sensor
  - Data Loss Prevention (DLP)
  - Security Operations Center (SOC)
  - Threat Intelligence
  - Threat Information Sharing
  - Industry Partnerships
• Response
  - Incident Handling Plan
  - Breach Preparation
  - Tabletop Exercises
  - Forensic Analysis
  - Crisis Management
  - Breach Communications

Legal and Regulatory

• Compliance
  - PCI
  - SOX
  - HIPAA
  - FFIEC, CAT
  - FERPA
  - NERC CIP
  - NIST SP 800-37 and 800-53
• Privacy
  - Privacy Shield
  - EU GDPR
• Audit
  - SSAE 16
  - SOC 2
  - ISO 27001
  - FISMA and FedRAMP
  - NIST SP 800-53A
  - COSO
• Investigations
  - eDiscovery
  - Forensics
• Intellectual Property Protection
• Contract Review
• Customer Requirements
• Lawsuit Risk

Leadership Skills

• Business Strategy
• Industry Knowledge
• Business Acumen
• Communication Skills
• Presentation Skills
• Strategic Planning
• Technical Leadership
• Security Consulting
• Stakeholder Management
• Negotiations
• Mission and Vision
• Values and Culture
• Roadmap Development
• Business Case Development
• Project Management
• Employee Development
• Financial Planning
• Budgeting
• Innovation
• Marketing
• Leading Change
• Customer Relationships
• Team Building
• Mentoring

Based on CISO MindMap by Rafeeq Rehman @rafeeq_rehman http://rafeeqrehman.com Used with permission.

CISO MIND MAP

Governance

• Strategy
• Business Alignment
• Risk Management Program
• Framework
  - NIST CSF
  - ISO 27000
• Control Frameworks
  - NIST 800-53
  - Critical Security Controls (CSC)
• Program Structure
• Program Management
• Communications Plan
• Roles and Responsibilities
• Workforce Planning
• Resource Management
• Data Classification
• Security Policy
• Creating a Security Culture
• Security Training
  - Awareness Training
  - Role-Based Training
• Metrics and Reporting
• IT Portfolio Management
• Change Management
• Board Communications

NEW! CYBER LEADER

Page 2

SECURITY OPERATIONS CENTER

Security Operations Center (SOC) Essential Functions

Internal Systems

Host Forensics: MEMORY AND DISK ACQUISITION

Network Forensics: LOG, EVENT INFO, AND PCAP ACQUISITION

Reverse Engineering: DEVICE, SOFTWARE, OR CODE ACQUISITION

Network and Related Artifacts: LOG SERVER, NETWORK FULL PCAP

PROVIDE INFO RELATED TO CASE

• ANALYZE ASSET
• MAINTAIN CHAIN OF CUSTODY
• ENSURE ASSET INTEGRITY

HIGH-VALUE INDICATORS
• LONG-TERM ANALYSIS
• DATA MINING
• STUDY OF INTERACTION

CORRELATE ALERTS AND LOG ENTRIES TO RAW DATA

HISTORICAL ASSESSMENT WITH NEW IOCs

Honeypots

Full PCAP

NETWORK IDS

HOST IDS

WIRELESS IDS

NETWORK LOGS

HOST LOGS

APPLICATION LOGS

MALWARE DETONATION

Internal Information Sources

Open-Source Resources

Attribution Info

INTERNAL THREAT ACTOR ATTRIBUTION AND CHARACTERISTICS

COLLECT OPEN-SOURCE INFO

COLLECT INTERNAL ADVERSARY INFO

CORRELATE EVENTS TO THREAT ACTORS

RETAIN ADVERSARY CHARACTERISTICS

Network Security Monitoring

Threat Intelligence

Incident Response

• STATUS REPORTS
• NEWS RELEASES
• RECORDINGS
• OUTREACH AWARENESS

• PROBLEM REPORTS
• THIRD-PARTY NOTIFICATION
• REPORT ILLEGAL ACTIVITY
• SEEK ADVICE

Users or Help Desk Report Issue

Law Enforcement

Public

Configuration Monitoring

• CREATE BASELINES

• IDENTIFY CONFIGURATION CHANGES

• MAINTAIN SYSTEMS

Vulnerability Assessment

• IDENTIFY RISK AND EXPOSURE

• SCAN SYSTEMS FOR KNOWN VULNERABILITIES

• IMPACT OF NEW VULNERABILITIES

Penetration Testing

• MODEL ATTACKER SCENARIOS

• EXPLOIT SYSTEMS

• RECONNAISSANCE, ORGANIZATIONAL INTELLIGENCE

• DECONFLICTION

Exercises

• TABLETOP SCENARIOS

• MODEL THREATS AND EVENTS

• TRAIN AND ASSESS STAFF

• DR/BCP

Command Center

Self Assessment

Forensics

Outsourcing Pros

• Potential cost savings – building a SOC is expensive

• Fully trained and qualified staff

• Experience handling stressful situations

• Experience handling all types of security events effectively and efficiently

• Augments existing staff/fills gaps in hiring skills professionals

• Threat Intelligence – keeps you current on emerging threats

• Helps you leverage security intelligence across industries

• Industry information sharing

• Enables organizations to focus on core tasks

• Breaks down barriers in organizations where silos exist

• Enables 24x7x365 requirement

• Provides SLAs on how service will be provided

• Well-defined run book

Outsourcing Cons

• Unfamiliar with organization’s business drivers/industry

• Limited on depth of service and capabilities

• Optimizes its systems to scale and services a large volume of customers

• Large customer base, lacks intimate knowledge

• Lack of dedicated resources & support for your organization

• Focused on maximizing profits

• Lack of specialization, excels at providing standard security services vs. customized

• Minimal opportunities for correlation unless all data are sent to the MSSP

• Outsourced threat intelligence has a short lifespan

• No incentive to help improve your operations

• Limited ability to store data

Building a SOC

What do you need to consider when utilizing a Managed Security Service Provider (MSSP) vs. building a SOC in-house?

Getting C-Level Support to Ensure a High-Impact SOC Rollout, by John Pescatore: http://www.sans.org/u/nnD

MSSP Onboarding Checklist

• Organizational Requirements
  - Defined ownership of security
  - Good cultural fit
  - Business partnership
• Hiring Standards
  - Background checks
  - Credit checks
  - Security clearance
  - References
  - Certifications
• Adequately Staffed
  - Staffing member ratios
• Hiring Practices
  - Drug tests
  - Citizenship requirements
• Suppliers, Partners, and Resellers
  - Access to customer data
  - Connection to network
• Communication Tools
  - Case management solution
  - Information sharing portal
  - Secure chat
• Reports
  - Metrics and dashboards
  - Status delivery frequency
  - MTTD, MTTR
• Organizational Stability
  - Years in business
  - Financially stable
  - SLAs and failover capability
  - Exit strategy

Learn how to design, build, operate, and mature a Security Operations Center (SOC)

MGT517: Managing Security Operations: Detection, Response, and Intelligence
www.sans.org/MGT517

Business Units

Steering Committee

Management

Internal Systems

External Systems

ISOLATE AND CONTAIN ASSETS:
• LOGICALLY
• PHYSICALLY

OVERALL PROCESS

RETURN TO SERVICE

Incident response works with other SOC functions to:

• OBTAIN SUPPORT AND ANALYSIS

• PROVIDE STATUS AND REPORTING

ERADICATE ISSUES